How HR Can Help Build a Human Firewall

Tony Barnes, MBA, MIS (Security), CISSP, is CEO of ANZ cyber security specialists Cyber Research. In this guest blog, Tony discusses new Australian research on the most common form of cyber-attack on Australian businesses today and how HR is an essential partner in the fight.

“When your staff are under cyber assault every day, a Human Firewall is the most important cyber security defence you’ll ever build with the biggest ROI.”

Organisations in Australia and around the world are moving aggressively to fight cyber-attacks on their businesses. Global spending on cyber security has reached more than $81 billion in 2016 and continues to rise. But organisations that invest solely in technology solutions are largely missing the point and leaving a gaping hole in their defences. Cyber Security is as much an HR issue as it is a technology one. And new research in Australia this week shows why that’s truer than ever.

Cyber warfare between nation states and massive data breaches of government and global corporates by hackers grab the headlines every day. But it’s actually a much more mundane issue that poses the greatest threat to Australian businesses and their global counterparts. We’ve all experienced it and it’s growing by the day.

Email attacks on employees (usually phishing emails designed to hook the recipient into clicking on a malicious link or attachment) are by far the number one attack vector on organisations large and small in Australia today and the biggest challenge by volume for businesses to defend against. General phishing attacks (targeting millions), spear phishing attacks (targeting specific individuals), and whaling attacks (targeting big fish like CEOs and CFOs) are at the heart of the problem. They are so prevalent for one reason only – because they work.

With the average office worker receiving 122 emails each day, it makes perfect sense that phishing is the top attack vector in data breaches.

According to a new survey this week by phishing simulation and training organisation Phishme, the average Australian now company gets more than 500 malicious emails every business week. That’s 26,000 a year. According to the Ponemon Institute, who track global data breaches, malicious or criminal attacks account for 48% of data breaches in Australia in 2017.

In line with phishing response trends emerging from the US and the UK markets, Australian-based organisations report in the Phishme survey that they are just as unprepared to combat phishing attacks today, despite having dealt with increasing email-related incidents over many years. These are the stats:

89% of companies have dealt with security incidents originating with a deceptive email – that means ransomware, Trojans, viruses, stolen credentials and more.

Over a third of respondents get more than 500 phishing emails weekly

Nearly all respondents have between one and four security layers already in place but still, malicious emails reach the desktop, where staff are one click away from trouble.

Email-related threats are Australia’s biggest security concern, and over 50% of respondents highlighted technology alone isn’t the answer to phishing.

With statistics like these, it looks like we’re far from winning the war. We are not even holding ground. Clearly then, Australian businesses are being flooded with suspicious emails targeting employees but are ill-prepared to process and respond to those threats.

In February next year, Australia’s new data breach law comes into force. This is where things get hot for all businesses who collect or hold customer data which could be considered Personal Identifiable Information (PII). The Australian government now mandates that organisations report data breaches. If a business suffers a data breach that a reasonable person feels would cause “physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm,” then they are obliged to report it to Australia’s Privacy Commissioner within 30 days. As well as statutory fines of up to $1.8m for companies and $340,000 for directors, this also brings the potential for legal action and reputational damage.

IBM reported recently that the average cost of data breaches to date for Australian companies is $2.51 million. And that was before the new data breach legislation. Costs will only escalate for those caught out. With nine out of 10 Australian organisations surveyed having experienced a phishing-related incident and almost all still worrying about email-related threats, it’s obvious there’s much work to be done.

So what’s the role of HR?

Well, HR has a real and significant role to play here. Staff training is one aspect – we’ll come to that in a moment. But before that, answer this…how many of your staff do you think have read your company’s technology use policy since they started with the company, and signed the document along with their employment contract? How many do you think actually read it the first time around? How many could recall it today? These are the people who use computers, phones, and open email in your business all day, every day. They are the weakest link. That has to change.

If you don’t have both policy and process related to acceptable use of IT that your staff are familiar with, trained on and take seriously (incorporating how to recognise and what to do about cyber threats), then frankly your organisation probably deserves to be in the group of companies that are either about to be breached, or have already been breached (and don’t know it yet).

Today’s cyber threats mean that HR and IT need to collaborate and work on policy and processes that help staff to protect the business and themselves. It’s especially important in roles where staff have privileged system access – system administrators and anyone with financial system access or access to IP and sensitive data. Reviewing access controls and adding factors of authentication for these staff members is critical. In today’s environment, this is now the basic starting point. There shouldn’t be a system administrator in the world who isn’t required to operate without two factor authentication and long, complex passwords at a bare minimum. If not, they and their systems are wide open to hackers whose job – 24/7 – is to send phishing emails and harvest usernames and passwords so they can get access to those very systems.

Commitment to training is the second way that HR can make a significant impact on the security posture of the organisation. Teaching staff to recognise phishing emails in particular and know what to do about them can’t be overstated in importance. Phishing simulation platforms are easy to use and remarkably effective. In just a few weeks of running a simulated phishing campaign – where you send staff authorised, safe phishing emails that deliver training and reinforcement when they click in error, rather than deliver malware – you can make a massive impact and drive down ‘susceptibility to click’. The Return on Investment for training staff in cyber awareness is, in our opinion and experience, nothing short of massive. Cyber awareness training just works. If a few hours training a year stops a data breach with a value of $2.1m and the associated business disruption, then the ROI should be obvious to everyone.

But without good policy and procedure alongside training, an organisation has no consequence to set and follow through within the event that a boundary is crossed by staff who constantly fall foul of phishing emails or just don’t care what they click on (and believe me from experience, there are always a few in every organisation like this).

When organisations take their IT use policies seriously, make them fit for today’s cyber threats, and train staff on how to spot and avoid cyber-attacks, then the organisation is well on its way to creating a ‘human firewall’. This is part of the first line of defence, not the last. When technology fails, or the bad guys learn how to get around today’s defences, then your staff are all you’ve got to rely on. Can you really afford not to ensure they are adequately prepared?